Interesting combo

I installed beta El Capitan on my MacBook Pro; trying to get here with Chrome, a security alert says this site's cert is not valid/not high enough encryption for HTTPS access and the site won't load. I get here just fine with Yosemite and with Chrome on iOS 8.

The problem with Google complaining about TLS 1.2 is there's nothing to replace it yet. TLS 1.3 is still in draft format and lord knows when the RFC will be finalized. Google is doing nothing more than fear mongering as there isn't anything that can take the place of TLS 1.2. It's all we have right now and until TLS 1.3 is finalized, Google needs to STFU.

Both operating systems — OS X El Capitan and iOS 9 — are tight. But try to run Chrome, or other applications that have a high amount of connectivity to the Web, and you will get crashes and warnings all over the place.

When these applications connect, you either get warnings in Safari, nice invalid certification indications in Chrome, or impeded application functionality entirely. As a result, I realized that a lot of application certificates are not 1024-bit or higher.

To add insult to injury, around the same time as the Apple Developer beta launch, Google released an update to Chrome which also flags sites with certificates issued by authorities that do not have public audit records. This is a somewhat philosophical problem rather than a technical one, but still not pretty. This forces certificate authorities (CAs) to disclose who they give certificates to, which does help weed out hackers who are phishing behind fake security.

Chrome 41 (Branch point in Q1 2015)
Sites with end-entity certificates that expire between 1 January 2016 and 31 December 2016 (inclusive), and which include a SHA-1-based signature as part of the certificate chain, will be treated as “secure, but with minor errors”.

Sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as “affirmatively insecure”. Subresources from such domain will be treated as “active mixed content”.

The current visual display for “affirmatively insecure” is a lock with a red X, and a red strike-through text treatment in the URL scheme.

Note: SHA-1-based signatures for trusted root certificates are not a problem because TLS clients trust them by their identity, rather than by the signature of their hash.


Here is another view of the same thing I see when trying to log in here with Chrome and El Capitan.

Currently Chrome-based browsers with this build have zero ability to let the user ignore the lockout and continue to the site as they did in the past, the "proceed" button and hidden code appears to be no longer available.

Our certificate was signed using SHA-2 and was a 2 year issue (well under the 38 month mandate). Complaining about the expiration date without taking into account when it was issued is going to result in a LOT of unhappy admins beating Google up.

Edit -- I just fired up Chrome and tested the site. Certificate showed a nice pretty shade of green to me (in Windows 10).

I'll double check the cipher encryptions again to see if further tweaking can be done, but I don't think it's possible without affecting a lot of older systems that can't utilize the newer cipher routines.

Our certificate was signed using SHA-2 and was a 2 year issue (well under the 38 month mandate). Complaining about the expiration date without taking into account when it was issued is going to result in a LOT of unhappy admins beating Google up.


And that's part of the bug/issue/whatever: it seems to be balking at the connection encryption type.

The cert here when accessing with Chrome on a Mac (On both El Capitan AND Yosemite) shows the connection is encrypted with only SHA-1

This is what the cert says on my Mac with Yosemite

Your connection to Global Affairs is encrypted using an obsolete cipher suite.

The connection uses TLS 1.2.

The connection is encrypted using AES_256_CBC, with HMAC-SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism.


With Chrome on El Capitan:

This site uses a weak security configuration (SHA-1 signatures), so your connection may not be private.

The identity of this website has been verified by COMODO RSA Domain Validation Secure Server CA but does not have public audit records.

The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.
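The two Chrome messages quoted in this thread come from two separate checks: the Chrome 41 SHA-1 policy (keyed on the end-entity certificate's expiry date and whether any SHA-1 signature appears in the chain) and the "obsolete cipher suite" test, which in Chrome of that era required TLS 1.2, an ECDHE key exchange and an AEAD cipher (GCM or ChaCha20), so the Yosemite dialog's ECDHE_RSA + AES_256_CBC + HMAC-SHA1 suite is flagged only because the cipher is CBC with an HMAC rather than AEAD. The script below is an added example written for this page, not Chrome's code or anything from the forum; the policy dates are the ones quoted from the Chrome 41 announcement above, the "obsolete" rule is my approximation of Chrome's heuristic, and the OpenSSL-style suite names it takes as input are assumed equivalents of the names Chrome's dialog shows.

```python
import ssl
from datetime import date
from typing import Optional

# Added example; not Chrome's own code. Reproduces the Chrome 41 SHA-1 policy
# quoted in the thread and an approximation of Chrome's "obsolete cipher suite"
# test (TLS 1.2+, ECDHE key exchange, AEAD cipher), applied to OpenSSL-style
# suite names such as "ECDHE-RSA-AES256-SHA".


def chrome41_sha1_verdict(not_after: date, sha1_in_chain: bool) -> str:
    """Chrome 41 treatment of a site, by end-entity expiry and SHA-1 use in the chain."""
    if not sha1_in_chain:
        return "secure"
    if date(2016, 1, 1) <= not_after <= date(2016, 12, 31):
        return "secure, but with minor errors"
    if not_after >= date(2017, 1, 1):
        return "affirmatively insecure"
    return "secure"  # expires before 2016: not flagged by this policy step


def classify_cipher(name: str, protocol: str) -> dict:
    """Return {'obsolete': bool, 'reasons': [...]} for an OpenSSL suite name
    negotiated under the given protocol version (e.g. "TLSv1.2")."""
    reasons = []
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        reasons.append(f"protocol {protocol} is older than TLS 1.2")
    # TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) always use an (EC)DHE handshake.
    if not (name.startswith("ECDHE-") or name.startswith("TLS_")):
        reasons.append("key exchange is not ECDHE (no forward secrecy)")
    if not any(tag in name for tag in ("GCM", "CHACHA20", "CCM")):
        reasons.append("cipher is not AEAD (CBC mode with HMAC)")
    return {"obsolete": bool(reasons), "reasons": reasons}


def audit_enabled_ciphers(context: Optional[ssl.SSLContext] = None) -> list:
    """Classify every suite the local OpenSSL would offer from a default context.

    A default context negotiates TLS 1.2 or later, so each suite is judged as
    if negotiated under TLS 1.2; get_ciphers() only reports the minimum version
    a suite is defined for, which is not what a client would see on the wire.
    """
    ctx = context or ssl.create_default_context()
    return [(c["name"], classify_cipher(c["name"], "TLSv1.2"))
            for c in ctx.get_ciphers()]


if __name__ == "__main__":
    # The suite the Yosemite dialog in the thread describes, in OpenSSL naming
    # (assumed mapping of AES_256_CBC / HMAC-SHA1 / ECDHE_RSA):
    print(classify_cipher("ECDHE-RSA-AES256-SHA", "TLSv1.2"))
    # A certificate that expires in 2017 and has SHA-1 anywhere in its chain:
    print(chrome41_sha1_verdict(date(2017, 3, 1), True))
    for name, verdict in audit_enabled_ciphers():
        flag = "OBSOLETE" if verdict["obsolete"] else "modern  "
        print(f"{flag} {name}")
```

Run it as-is to see which suites your local OpenSSL would still offer that Chrome of that era called obsolete; the usual fix on the server side is to prefer the ECDHE + GCM/ChaCha20 suites ahead of the CBC ones rather than dropping CBC entirely, which keeps the older clients mentioned in the thread working while modern browsers stop warning.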